Data breaches and privacy violations are now commonplace. Unfortunately, the consequences for US companies involved can be complicated.
A company’s obligation to a person affected by a data breach depends in part on the laws of the state where the person resides. A person may be entitled to free credit monitoring for a specified period of time or may have the right to be notified of the breach sooner than somebody living in another state.
Companies are also subject to different regulations for protecting personal data depending on where they are headquartered and where they do business in the US.